Fix a heap buffer overflow in find_archive()

sharutils-4.15.2-Fix-a-heap-buffer-overflow-in-find_archive.patch

@@ -0,0 +1,58 @@
+From 1067cdba6d08f2a765cb0ea371189a5b703eb4db Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Thu, 22 Feb 2018 16:39:43 +0100
+Subject: [PATCH] Fix a heap-buffer-overflow in find_archive()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+rw_buffer has allocated rw_base_size bytes. But subsequend fgets() in
+find_archive() reads up-to BUFSIZ bytes.
+
+On my system, BUFSIZ is 8192. rw_base_size is usually equaled to
+a memory page size, 4096 on my system. Thus find_archive() can write
+beyonded allocated memmory for rw_buffer array:
+
+$ valgrind -- ./unshar /tmp/id\:000000\,sig\:06\,src\:000005+000030\,op\:splice\,rep\:4
+==30582== Memcheck, a memory error detector
+==30582== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
+==30582== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
+==30582== Command: ./unshar /tmp/id:000000,sig:06,src:000005+000030,op:splice,rep:4
+==30582==
+==30582== Invalid write of size 1
+==30582==    at 0x4EAB480: _IO_getline_info (in /usr/lib64/libc-2.27.so)
+==30582==    by 0x4EB47C2: fgets_unlocked (in /usr/lib64/libc-2.27.so)
+==30582==    by 0x10BF60: fgets_unlocked (stdio2.h:320)
+==30582==    by 0x10BF60: find_archive (unshar.c:243)
+==30582==    by 0x10BF60: unshar_file (unshar.c:379)
+==30582==    by 0x10BCCC: validate_fname (unshar-opts.c:604)
+==30582==    by 0x10BCCC: main (unshar-opts.c:639)
+==30582==  Address 0x523a790 is 0 bytes after a block of size 4,096 alloc'd
+==30582==    at 0x4C2DBBB: malloc (vg_replace_malloc.c:299)
+==30582==    by 0x10C670: init_unshar (unshar.c:450)
+==30582==    by 0x10BC55: main (unshar-opts.c:630)
+
+This was reported in
+<http://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg00004.html>.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/unshar.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/unshar.c b/src/unshar.c
+index 80bc3a9..0fc3773 100644
+--- a/src/unshar.c
++++ b/src/unshar.c
+@@ -240,7 +240,7 @@ find_archive (char const * name, FILE * file, off_t start)
+       off_t position = ftello (file);
+ 
+       /* Read next line, fail if no more and no previous process.  */
+-      if (!fgets (rw_buffer, BUFSIZ, file))
++      if (!fgets (rw_buffer, rw_base_size, file))
+ 	{
+ 	  if (!start)
+ 	    error (0, 0, _("Found no shell commands in %s"), name);
+-- 
+2.13.6
+

sharutils.spec

@@ -1,7 +1,7 @@
 Summary:    The GNU shar utilities for packaging and unpackaging shell archives
 Name:       sharutils
 Version:    4.15.2
-Release:    8%{?dist}
+Release:    9%{?dist}
 # The main code:                GPLv3+
 # lib (gnulib):                 GPLv3+
 # lib/md5.c:                    Public Domain
@@ -14,6 +14,9 @@ Group:      Applications/Archiving
 Source:     ftp://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz
 # Pass compilation with -Werror=format-security, bug #1037323
 Patch0:     %{name}-4.14.2-Pass-compilation-with-Werror-format-security.patch
+# Fix a heap buffer overflow in find_archive(), bug #1548019,
+# <http://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg00004.html>
+Patch1:     %{name}-4.15.2-Fix-a-heap-buffer-overflow-in-find_archive.patch
 URL:        http://www.gnu.org/software/%{name}/
 BuildRequires:      binutils
 BuildRequires:      coreutils
@@ -45,6 +48,7 @@ the shar files.
 %prep
 %setup -q
 %patch0 -p1 -b .format
+%patch1 -p1
 
 # convert TODO, THANKS to UTF-8
 for i in TODO THANKS; do
@@ -82,6 +86,9 @@ fi
 %{_mandir}/man5/*
 
 %changelog
+* Thu Feb 22 2018 Petr Pisar <ppisar@redhat.com> - 4.15.2-9
+- Fix a heap buffer overflow in find_archive() (bug #1548019)
+
 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 4.15.2-8
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild